
Configure BOBJ AC 5.3 CUP so that workflows only appear if violations are detected

Hello GRC folks!

Today we configure BusinessObjects Access Control 5.3 SP8 Compliant User Provisioning (CUP).

What we want to do is to

  • approve requests automatically if the risk analysis found no violations
  • start a workflow with manual approval/mitigation/denial process if risk analysis found violations for the request

The motivation is that you

  • want as little manual system interaction for your approvers as possible
  • possibly have an integrated scenario with Identity Management, where a (manager) approval has already been done on the Identity Management (IdM) application side
  • only want to involve approvers if violations arise

The big picture is that you configure

  • a workflow A with your initiator and a stage with approver determinator “NO STAGE”
  • a workflow B for the detour, with the stage(s) you want to have if violations were found
  • a detour for A which detours to B if SoD violations were found for the request
  • the parameter “Risk Analysis on request submission” to “YES”

CUP should now behave like this:

  • Request comes in (manually or via web service from IdM)
  • Risk Analysis (CUP calls RAR via web service) is done and results saved in request
  • Initiator activates your workflow A
  • Detour checks if conditions are met
  • Two options:
      1. No violations found: workflow A goes to stage “No Stage”, approves automatically and optionally does auto-provisioning
      2. Violations found: the detour conditions are met, the request detours from A to B and arrives at the first stage configured in workflow B with all options of CUP (approval, denial, mitigation, etc.)

Now some screenshots to visualize the configuration

  • Parameter to set (Goto->Configuration->Risk Analysis)


  • Initiator (could be any condition for your use case)


  • Stage with “No Stage” approver determinator


  • The two workflows you need


  • First workflow with no stage


  • Detour workflow if violations detected


  • Detour configuration


Hope this helps your business!

Best regards,

PS: Special thanks to the mastermind of this idea, Frank Koehntopp.
